The ISACA believes that UK businesses should report data loss and breaches on a quarterly basis, tying them in with the publication of information on financial performance and culminating in an annual report.

The justification for this arrangement is that it would stop individual businesses coming under the media scrutiny that would follow individual mandatory reports of data loss, if they were given out in real time. This setup would also benefit shareholders and company workers, as they could be made aware without there being a wider outcry, according to the ISACA’s Rolf von Roessing.

Mr von Roessing said that enforcing mandatory reports in the event of security breaches was definitely a step in the right direction, but creating quarterly announcements would cause less damage to the reputation of firms and would also preserve share prices in the long term.

Mr von Roessing believes that there is general support for this movement amongst business leaders from around the world and that this means a growing acceptance of the fact that data loss and security breach scandals need not lead to scapegoating and crucifixion in the eyes of the press.

The ISACA accepts that businesses and the wider public must be educated about the dangers of security breaches and data loss, but it believes that it is more important to show that businesses are able to come back from such incidents wiser and better equipped to deal with threats in the future. It says that widely criticising a business can destroy its reputation and ultimately become more damaging than the data loss itself, which is ultimately undesirable for all parties.

The debate over mandatory data loss reporting is ongoing and new opinions are being added at all times, although it looks like the UK is certainly moving towards a change in this area.

ISACA joins mandatory data loss reporting debate is a post from our Online Backup blog. Contact us today for business continuity consulting.

The kit not only damages businesses and individuals by stealing private data, but it also pulls information right back to the two hackers who wrote the malicious software, bypassing any hackers who distribute the software, effectively using them as unaware middlemen, who cannot necessarily benefit from the phishing attacks.

The malicious genius of the software is that its creators can sit back and watch the stolen data pour in without having to run their own phishing attacks, as hackers from around the world who have begun sharing the kit, once it was distributed via a notorious forums, will be doing all of the work for them.

Security vendor Imperva says that over 200,000 copies of the software have already been downloaded and although the small phishing sites which take advantage of it will be shut down after harvesting information from a few hundred unsuspecting users, the reach could extend much further.

By basing the power of the phishing kit in cloud computing the hackers have created a data theft network that will be almost impossible to eradicate, because there is no central server controlling the whole show. Instead thousands of individual hackers are all exploiting one another and constantly feeding data to the original creators, according to Imperva’s Amichai Shulman.

Authorities will be able to target individual phishing campaigns based on the new toolkit, but the eradication of a single campaign will not impact upon the dozens of others that are still up and running and so it could be the case that a running battle is fought well into the future, according to Mr Shulman.

Basing a phishing toolkit on the cloud computing model is certainly sensible from the twisted point of view of the hackers and ideally it will continue to generate new campaigns and harvest data for its creators. This could signal the dawn of a new era in the fight for data security.

Cybercriminals harness cloud techniques for phishing attacks is a post from our Online Backup blog. Contact us today for business continuity consulting.

The MoD admitted the serious loss after Lewis PR made a request for statistics under the Freedom of Information Act. When broken down, it was revealed that 120 of the total were stolen while the greater majority were simply lost through carelessness.

Of the 340 laptops that went missing, only 25 were eventually recovered and more than 50 per cent were unencrypted, leaving the data open to exploitation. Further data losses occurred via other portable storage solutions, with 215 thumb drives, 593 optical disks, 13 smartphones and 96 hard drives also listed as lost or stolen over the same period.

Other government departments were implicated, with the Department for Work and Pensions responsible for the loss of 71 laptops and 75 smartphones, whilst the Department for Transport had recorded the loss of 39 PDAs, together with 38 laptops.

A total of 11 governmental departments contributed statistics and between them 518 laptops were recorded as lost or stolen, in addition to 932 other portable storage devices. This has cost the country nearly a million pounds.

The worrying nature of these revelations has been touched upon by numerous security experts and a number have pointed out that the government’s various departments have clearly failed to address the problems of data security and loss prevention in any appropriate manner, whilst at the same time putting national security at risk.

Many believe that the statistics show incompetence and a lack of respect for private data, with human error being the most notable contributing factor to data loss in the public sector. The lack of widespread encryption was identified as making it simple for veteran criminals to access data on lost or stolen devices.

Data breaches are known to cost businesses and organisations millions of pounds and although the material cost of the government’s losses has been calculated, it is unknown precisely how much the loss of the associated data could be worth in real terms.

MoD criticised over laptop data loss statistics is a post from our Online Backup blog. Contact us today for business continuity consulting.

Although there is a general move towards greater understanding of technology amidst staff within both the public and private sectors, the ISF believes that there is still no base standard by which actions can be measured and thus it can be difficult to account for all eventualities in a given security system.

The ISF believes that the only way in which to tackle the issue is to give employees a greater sense of responsibility over any data which comes into their care, which should help to keep private information and intellectual property secure and uncompromised by data loss.

The management of data security within a given business can often encompass multiple platforms and dramatically different operational environments and the risks need to be thoroughly examined.

The ISF points to the increasing prevalence of smartpones and PDAs which are issued by businesses or used as the personal property of employees to access business networks. It believes that the distinction between private and corporate data is become less clear and that this is leading to serious data protection issues.

The ISF’s Mark Chaplin said that security was being weakened because of devices which combine connectivity with computing for business and personal use, with social networking sites, the cause of greatest concern for most IT professionals charged with protecting data.

Mr Chaplin said it was far too easy for employees to distribute private data via such devices in a way that can prove damaging to the business as a whole.

Mr Chaplin believes that the only way to confront this issue is to broaden the horizon of data security and consider all eventualities across the multiple platforms that have access to information.

Businesses should thus take a positive approach to data security which involves education and training as well as innovation, according to the ISF.

Data security threatened by diversity of platforms is a post from our Online Backup blog. Contact us today for business continuity consulting.

Accidental data loss occurs with worrying regularity when users store sensitive information on portable storage devices and then proceed to lose them, but now malicious parties are actively looking to exploit human error in engineering security breaches, according to RSA’s Uri Rivner.

Mr Rivner identifies a general lack of awareness amongst staff, many of whom have access to data wherever they go thanks to smartphones and laptops. He says that this makes them ripe for exploitation by criminals who can get viruses and malware onto a portable device used out of the office with relative ease.

Businesses are being forced to count on technology which cannot adequately protect them from the ever evolving threats. By targeting staff with phishing and spam campaigns, criminals can slip into a system via the back door and harvest data with little chance of being detected in the short term, according to Mr Rivner.

Mr Rivner identifies the business dilemma which means that firms cannot protect themselves from such attacks because total security would mean preventing staff from accessing internal systems remotely which would have a negative impact on productivity.

It is said that a multi-tiered approach to data loss prevention and security is the only way for businesses to cope in the current climate, with employee training playing its part alongside improved data sharing and storage technology.

Mr Rivner believes that the ability to safely share data is key to combating the criminals and is something that relatively few businesses can currently claim to adequately manage. Automating security measures may help, but he says that protection must develop organically and must possess the ability to adapt in order to match the increasing sophistication of the attacks.

Over the next ten years, Mr Rivner believes that businesses will be looking to staff in order to form their security strategies, with adequate data protection only possible if the likelihood of human error is minimised.

Data breaches aim to exploit human error is a post from our Online Backup blog. Contact us today for business continuity consulting.

It has also been suggested that the ICO’s power to fine those found to have contravened the rules of the Data Protection Act sums of up to half a million pounds is far from adequate and cannot be seen as a suitable deterrent.

This latest criticism of the ICO and the legislation with which it enforces data protection standards comes from Stewart Room, a leading legal force at Field Fisher Waterhouse. Mr Room spoke out at an event, highlighting what he sees as the ineffectiveness of the ICO, with businesses simply avoiding accountability by obscuring the details of a data loss.

Mr Room said that because there was no legal mandate for businesses to notify the ICO in the event of data loss and security breaches it was unlikely that firms would choose to do so when the result could be a £500,000 fine.

Organisations have a tendency to cover up their failings in the hope that the ICO will not become aware of the incident in the future and even when their misdemeanours are revealed, the ICO cannot act upon such failure to disclose because reporting is still not a requirement.

Mr Room added his voice to the growing number of experts who believe the ICO should be able to penalise firms under an uncapped system. This could result in far more substantial fines that should prove to be a more effective mechanism by which to bring even the largest organisations in line with best practice.

Internet Service Providers (ISPs) will become the first group of businesses that are required to report data loss and security breaches to the ICO next March, but according to some observers, this change will actually make little difference because the firms claim they already contact the ICO in the event that problems are detected.

A spokesperson for the ICO said that the organisation would be looking to the government for future extensions to its powers and in the meantime would be focusing its attentions on the further education of the public in order to instil data protection best practices in the wider population.

ICO lobbied to make data loss reporting a requirement is a post from our Online Backup blog. Contact us today for business continuity consulting.

The 10 per cent of trusts that received an amber rating in relation to their data security measures will not be able to gain access to the N3 network or the Spine, the latter of which is set to become a national store of patient data aimed at aiding diagnosis and treatment no matter where a citizen seeks medical assistance.

Hytec, a firm that both aids and analyses local authorities and the NHS in the context of data systems and networking, has compiled the report and rated each of the NHS trusts according to the Information Governance Statement of Compliance (IG SoC) tests. A score of 40 to 69 per cent in the IG SoC will result in an amber rating, which is not deemed to be safe enough to allow amber rated trusts access to certain NHS systems.

Any business or organisation that wishes to take advantage of the IT services provided by the NHS must undergo testing in order to prove its compliance with the requirements of IG SoC. With 10 per cent of trusts failing to meet these, it seems that there are some serious internal issues that need to be addressed.

Over the past three years more than 300 data breaches, losses and thefts have been reported to the Information Commissioner’s Office (ICO) by the NHS. This figure accounts for over 30 per cent of the reports dealt with by the ICO and, as such, the NHS is frequently criticised for its repeated failings in this area.

Hytec’s Alan Hunt said it was clear that the NHS could not hope to guarantee patients that their data would remain protected and uncompromised whilst in its care if as many as one in 10 of its trusts could not meet the basic security level outlined in the IG SoC.

One in 10 NHS trusts deemed to be lacking adequate data security is a post from our Online Backup blog. Contact us today for business continuity consulting.

74 per cent of UK staff believe that the government should be responsible for increasing general levels of data security around the country, according to a survey authored by Sourcefire and Dynamic Markets.

Since the coalition government was formed, there have been several high profile figures addressing the problem of data protection head-on, with both Deputy Prime Minister Nick Clegg and minister Baroness Pauline Neville-Jones discussing the most appropriate approach to handling public access to personal information whilst simultaneously increasing levels of security across the board.

Specialists working in IT and data security are unconvinced by the government’s current efforts, with 60 per cent expressing their dissatisfaction with the data protection projects currently in progress. 36 per cent of professionals believe that the government is using such schemes as pure publicity, with very little tangible progress made as a result.

Opinions on the matter are divided, with many believing that the policing of the internet is an unrealistic goal whilst others appear to be expecting at least some level of government intervention and protection.

Lawyer Jonathan Armstrong said that most members of the public are being misled by firms claiming to protect private information and payment details. He believes that in most cases these promises are not kept and reaffirms that when data loss or theft exposes a business, it can be extremely damaging.

Mr Armstrong believes that there is already adequate legislation in the Data Protection Act to mandate adequate data protection, but argues that there are currently few who are or appear to be willing to pursue and to police this problematic area.

Sourcefire’s Dominic Storey said that a balance between regulation and operative freedom had to be struck in order to free businesses and organisations to carry out their core activities without becoming overly entangled in administration and red tape. It would seem that a back to basics approach may be required in the short to medium term.

Report questions government involvement in fight for data security is a post from our Online Backup blog. Contact us today for business continuity consulting.

Topping the chart, with the fewest attacks pro rata, was India, with only 52 attacks recorded for every 1000 PCs, suggesting that criminals are finding it easier to harness infected machines within organisations as well as those owned by individuals in the UK than in many of its contemporaries.

SecureWorks’ Jon Ramsey said that criminals were controlling vast domestic botnets in most nations around the world and it was because of unchecked vulnerabilities that many businesses were leaving themselves open to exploitation.

Mr Ramsey also pointed out that by allowing computers to become and remain infected and malleable, malicious parties were being given opportunities to attack others.

There are a range of factors that influence the number of cyber attacks and data thefts that occur within a country, including the average connection speeds and the way in which internet service providers (ISPs) protect their users and detect threats. The distribution of operating systems also plays a part, as most hackers target Windows in order to ensure the most widespread levels of infection.

SecureWorks concluded that although the threats are significant, in many cases avoiding infection can be as simple as following the basic rules of computer security whether at home or at work. This includes regularly updating data security software to combat new threats and only accepting downloads and attachments from sources you trust whilst avoiding unsolicited emails.

SecureWorks’ Don Smith said that cyber attacks can not only compromise precious data within an organisation, but also impact upon productivity and revenue as the ripples spread. Mr Smith believes that many businesses only act on security flaws once they have been exploited by a cyber attack and that this means that some incidents are entirely avoidable.

Mr Smith suggests that businesses need to take a multi-faceted approach to data security and data loss prevention, incorporating standard measures with modern analytical tools and encryption techniques to ensure that all systems are water tight and thus far more difficult for criminals to infect.

UK ranked fifth in cyber attack survey is a post from our Online Backup blog. Contact us today for business continuity consulting.

Anyone who regularly banks online is at risk from the malware, which has the ability to harvest passwords and customer numbers which then can be used to make transactions within an individual’s account which seem legitimate to the bank, but are actually the work of criminals.

One out of every 500 computers in the UK is infected with the Silon.var2 malware, whilst one in 5000 has Agent.DBJP onboard, according to security firm Trusteer. This penetration level is much lower than in the USA, but as a result of the regional, small scale targeting it has been much harder for the large security vendors to react to what seems to be a limited, local issue.

Two botnets based in the UK have also been identified and the specificity of these is equally troubling, as UK banks seem to be the only target, with UK-based computers being harnessed to make the attacks. This tactic is another that aims to circumvent the conventional malware detection process of anti-virus firms and it seems as though the criminals have been able to work around many security systems that would usually guarantee the protection of personal data.

The group behind this malware are targeting UK citizens through spam campaigns which centre around local issues, as well as piggybacking on formerly legitimate websites which have become compromised.

Trusteer’s Mickey Boodaei said that a small number of UK banks were being targeted by the current campaign, with between three and seven being hit at the same time, as opposed to the hundreds of financial institution which can be targeted by the better known data theft tools which are thus largely defeated by the anti-virus vendors.

The small group of target banks are repeatedly attacked for up to nine months at a time, according to Mr Boodaei, before the focus of the criminals changes and the malicious software evolves.

UK financial data targeted by malware campaign is a post from our Online Backup blog. Contact us today for business continuity consulting.